Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt

Ben Schwartz <bemasc@google.com> Mon, 24 January 2022 15:20 UTC

References: <164273967921.28045.13105308218406662743@ietfa.amsl.com> <CAFpG3geerJH+jWEZpZnHJpEFcOr+81WyOFvWoAaHmR6N4jBZyg@mail.gmail.com> <4182fe-1e8-ef1-d3e5-75b17da23b9e@nohats.ca> <CAHbrMsBvy6F05y+rXzS+KtpOCn4+RCcJnjLdduHfdz8ENCOQzw@mail.gmail.com> <15222769-7BD4-49D4-AC67-DAD86191DB6E@fl1ger.de>
In-Reply-To: <15222769-7BD4-49D4-AC67-DAD86191DB6E@fl1ger.de>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 24 Jan 2022 10:20:01 -0500
Message-ID: <CAHbrMsDDjvkBBAQnANPC0ENktNdsuf7yuVRu9W43y9UNqZP1fw@mail.gmail.com>
To: Ralf Weber <dns@fl1ger.de>
Cc: Paul Wouters <paul@nohats.ca>, ADD Mailing list <add@ietf.org>, tirumal reddy <kondtir@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/XB4vm6ZbemDY_5RUIkBQsW10uvA>
Subject: Re: [Add] I-D Action: draft-reddy-add-enterprise-split-dns-08.txt

On Sun, Jan 23, 2022 at 4:09 AM Ralf Weber <dns@fl1ger.de> wrote:

> Moin!
>
> On 22 Jan 2022, at 1:15, Ben Schwartz wrote:
> > I don't understand the question.  These names are properly rooted in the
> > DNS, so DNSSEC validation of signed zones proceeds as usual, without any
> > need for additional trust anchors.
> That only is true if you are using the same DNSKEYs internally and
> externally.
> Something that might not be true if you e.g. have your external zone hosted
> by a third party.
>

I think this is fine.  You just publish DS records for both the internal
and external DNSKEYs.  Validation will then succeed for records signed by
either key.

> Also keep in mind that if
>         corp.example.com
> is NXDomain externally you need a special/different
>         example.com
> internally to delegate corp.example.com.
>

Agreed.  The claimed zone (which could be "example.com" or "corp.example.com")
must resolve differently internally and externally, or you haven't actually
"split" anything.

> I’ve always envisioned DNSSEC split horizon needing an internal trust anchor
> because of this, ideally in the recursive resolver and stub resolver.
>

I don't think there's any need for a separate trust anchor.
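The "publish DS records for both DNSKEYs" point above, worked through as an added example; this code is not from the thread or from the split-DNS draft. It builds DS records (RFC 4034 key tag and SHA-256 digest) for a constructed internal KSK and a constructed external KSK of `corp.example.com`, places both in the parent's DS set, and shows the check a validator performs at the zone cut: a DNSKEY is trusted if some DS in the parent matches it, so a resolver seeing either view's DNSKEY RRset passes the cut without any extra trust anchor. The key bytes, zone name and algorithm 13 are assumptions chosen for the example.

```python
import hashlib
import struct

ZONE = "corp.example.com"          # assumed split zone name
KSK_FLAGS = 257                    # ZONE key + SEP bit, the usual KSK flags
ALG_ECDSAP256SHA256 = 13           # any non-RSA/MD5 algorithm uses the same key-tag rule

# Constructed key material, not real keys: 64-byte uncompressed P-256 point size.
INTERNAL_KSK = bytes(range(0, 64))
EXTERNAL_KSK = bytes(range(64, 128))
ROGUE_KSK = bytes(range(128, 192))


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of an owner name, RFC 4034 s.6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type, hex digest).

    Digest type 2 is SHA-256 over owner-name wire form || DNSKEY RDATA.
    """
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def chain_accepts(ds_set, owner: str, rdata: bytes) -> bool:
    """Validator check at the zone cut: does some parent DS authenticate this DNSKEY?"""
    return ds_record(owner, rdata) in ds_set


def publish_ds_for_both_views() -> list:
    """What the parent (example.com) publishes: one DS per KSK, internal and external."""
    internal = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, INTERNAL_KSK)
    external = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, EXTERNAL_KSK)
    return [ds_record(ZONE, internal), ds_record(ZONE, external)]


def view_is_validatable(ds_set, public_key: bytes) -> bool:
    """Simulate a resolver that fetched one view's DNSKEY RRset and checks it against the DS set."""
    return chain_accepts(ds_set, ZONE, dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, public_key))


if __name__ == "__main__":
    ds_set = publish_ds_for_both_views()
    for tag, alg, dtype, digest in ds_set:
        print(f"{ZONE}. IN DS {tag} {alg} {dtype} {digest}")
    print("internal view validates:", view_is_validatable(ds_set, INTERNAL_KSK))
    print("external view validates:", view_is_validatable(ds_set, EXTERNAL_KSK))
    print("unrelated key validates:", view_is_validatable(ds_set, ROGUE_KSK))
```

Each view's DNSKEY RRset still has to carry, and be signed by, its own KSK; the DS set only lists which keys the parent vouches for. A key that is in neither DS (the constructed "rogue" key) fails the cut, which is the property that makes the shared parent delegation safe even though the two views sign with different keys.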